
CVE-2025-56091: n/a

Published: Thu Dec 11 2025 (12/11/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

OS Command Injection vulnerability in Ruijie RG-EW1800GX B11P226_EW1800GX_10223121 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_config/config_retain.lua.

AI-Powered Analysis

Last updated: 12/11/2025, 18:39:03 UTC

Technical Analysis

CVE-2025-56091 is an operating system command injection vulnerability identified in the Ruijie RG-EW1800GX router firmware version B11P226_EW1800GX_10223121. The flaw exists in the handling of POST requests to the module_set endpoint within the Lua script located at /usr/local/lua/dev_config/config_retain.lua. An attacker can craft a malicious POST request that injects arbitrary OS commands, which the device executes with the privileges of the affected process. This type of vulnerability typically arises from improper input validation or sanitization in the web interface's backend code. Since the vulnerability allows command execution, it can lead to complete device compromise, enabling attackers to manipulate configurations, intercept or redirect traffic, deploy malware, or pivot into internal networks. No authentication is required to exploit this vulnerability, increasing its risk profile. The vulnerability was reserved in August 2025 and published in December 2025, with no CVSS score or patches currently available. No known exploits have been reported in the wild yet, but the potential for exploitation is significant given the nature of the flaw and the device's role in network infrastructure.

Potential Impact

For European organizations, exploitation of CVE-2025-56091 could have severe consequences. The Ruijie RG-EW1800GX is a network router often deployed in enterprise and possibly critical infrastructure environments. Successful exploitation could allow attackers to gain persistent control over network traffic, intercept sensitive communications, disrupt network availability, or use the compromised device as a foothold for further attacks within the corporate network. This could lead to data breaches, operational disruption, and damage to organizational reputation. Given the lack of authentication requirement, attackers can exploit this vulnerability remotely if the device's management interface is exposed to untrusted networks. This risk is heightened in organizations with insufficient network segmentation or weak perimeter defenses. The absence of patches increases the window of exposure, making timely mitigation critical.

Mitigation Recommendations

1. Immediately restrict access to the management interface of Ruijie RG-EW1800GX devices to trusted internal networks only, using firewall rules and network segmentation.
2. Implement strict ingress filtering to block unauthorized POST requests targeting the module_set endpoint.
3. Monitor network traffic for anomalous POST requests or unusual command execution patterns on the device.
4. Disable or limit Lua scripting capabilities on the device if possible, or apply configuration changes to harden the web interface.
5. Engage with Ruijie support to obtain any available patches or firmware updates addressing this vulnerability.
6. Consider deploying intrusion detection/prevention systems (IDS/IPS) with signatures tuned to detect exploitation attempts.
7. Conduct regular audits of device configurations and logs to detect early signs of compromise.
8. Plan for rapid incident response and device replacement if compromise is suspected.
9. Educate network administrators about the vulnerability and enforce strong operational security practices.
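As an added example (not part of the advisory and not Ruijie's code), the monitoring called for in recommendations 2 and 3 can be run over reverse-proxy or WAF access logs: the Python below flags POST requests to a module_set endpoint whose form parameters carry shell separators or command-substitution tokens. The URL prefix, the log format with a trailing body field, and the sample lines are constructed assumptions; the CVE text gives only the endpoint name.

```python
import re
from typing import Iterable, Optional
from urllib.parse import parse_qs

# The advisory names only the endpoint (module_set); the URL prefix in the
# samples below is an assumption, so the rule matches on the endpoint name.
MODULE_SET_RE = re.compile(r"(^|/)module_set(\?|$)")

# Shell separators and command-substitution tokens that have no place in a
# configuration value; their presence in a module_set parameter is the signal
# recommendations 2 and 3 ask defenders to look for.
SHELL_META_RE = re.compile(r"[;|&`\n]|\$\(|\$\{")

# Combined-format access log with a trailing body="..." field as a reverse
# proxy or WAF might record it (constructed format, not the device's own).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) body="(?P<body>.*)"$'
)

def parse_line(line: str) -> Optional[dict]:
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def suspicious_values(rec: dict) -> list[str]:
    """Form-encoded parameter values of a module_set POST that contain shell tokens."""
    if rec["method"] != "POST" or not MODULE_SET_RE.search(rec["path"]):
        return []
    params = parse_qs(rec["body"], keep_blank_values=True)  # decodes %3B -> ';'
    return [v for values in params.values() for v in values if SHELL_META_RE.search(v)]

def scan(lines: Iterable[str]) -> list[dict]:
    """Return one finding per log line that trips the rule."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        bad = suspicious_values(rec)
        if bad:
            findings.append({"src": rec["src"], "path": rec["path"], "values": bad})
    return findings

# Constructed sample lines: one benign configuration write (the '&' separator
# is not flagged because values are checked after form decoding), one unrelated
# GET, and one POST whose parameter carries a URL-encoded ';' (%3B).
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Dec/2025:10:00:01 +0000] "POST /api/module_set HTTP/1.1" 200 body="name=office-ap&channel=36"',
    '10.0.0.9 - - [11/Dec/2025:10:00:07 +0000] "GET /api/module_get HTTP/1.1" 200 body=""',
    '203.0.113.7 - - [11/Dec/2025:10:00:09 +0000] "POST /api/module_set HTTP/1.1" 200 body="name=ap%3Bid"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"ALERT src={f['src']} path={f['path']} values={f['values']}")
```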


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-08-16T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 693b0c4e7d4c6f31f7befd3f

Added to database: 12/11/2025, 6:24:14 PM

Last enriched: 12/11/2025, 6:39:03 PM

Last updated: 12/12/2025, 4:00:54 AM

